From owner-freebsd-security Wed Feb 5 12:37:25 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id MAA09736 for security-outgoing; Wed, 5 Feb 1997 12:37:25 -0800 (PST)
Received: from Mailbox.mcs.com (Mailbox.mcs.com [192.160.127.87]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA09688; Wed, 5 Feb 1997 12:36:16 -0800 (PST)
Received: from Jupiter.Mcs.Net (karl@Jupiter.mcs.net [192.160.127.88]) by Mailbox.mcs.com (8.8.5/8.8.2) with ESMTP id OAA27596; Wed, 5 Feb 1997 14:36:14 -0600 (CST)
Received: (from karl@localhost) by Jupiter.Mcs.Net (8.8.5/8.8.2) id OAA12786; Wed, 5 Feb 1997 14:36:11 -0600 (CST)
From: Karl Denninger
Message-Id: <199702052036.OAA12786@Jupiter.Mcs.Net>
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
To: gibbs@narnia.plutotech.com (Justin T. Gibbs)
Date: Wed, 5 Feb 1997 14:36:11 -0600 (CST)
Cc: karl@Mcs.Net, jgreco@solaria.sol.net, Guido.vanRooij@nl.cis.philips.com, joerg_wunsch@uriah.heep.sax.de, core@freebsd.org, security@freebsd.org, jkh@freebsd.org
In-Reply-To: <199702052028.MAA00483@narnia.plutotech.com> from "Justin T. Gibbs" at Feb 5, 97 12:28:11 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> >The FIX is to go through setlocale() and fix the holes in the code!
> >Nothing else is adequate, and every other path is a LOT more work.
>
> Every method for fixing this, and numerous other potential problems with
> 2.1.6, 2.2, and 3.0 requires study, and after acceptance, careful coding,
> a review process, and documentation. To do otherwise is to open us to a
> recurring cycle of security hole/quick fix/security hole/quick fix. Core
> has already determined a course of action on these issues and a statement
> regarding the entire issue will be released once it has passed final review.

I was told that this release would be posted LAST NIGHT. It's 15 hours
beyond "last night". No information has been posted. Why?

I've now provided a patch. Either commit it or get off the pot.

> This will only serve to confuse our userbase about what the exact problem
> is, which releases and binaries are affected, and how to address the problem
> completely. During Core's investigation of this problem, much more information
> than you provided has surfaced all of which will be communicated in our
> announcement.

That's false. The setlocale() problem is fixable with a patch to setlocale().

> >2.2 is ALSO affected. That's being IGNORED right now.
>
> Not true. Simply because you are not privy to the discussions about this
> issue does not mean that we are ignoring anything. Our announcement will
> have information on *all* versions of FreeBSD that have this problem.

Keeping the discussion private (ie: "not privy") means you believe there's
something to hide. I disagree. Either discourse in public or it doesn't
count in my book.

Again, the talkd bug handling is what got me going on this generic issue
with FreeBSD. Now we have a much more serious one.

> Your attitude has not been one of, "Here is the problem, how can I direct
> the resources at my disposal to help the project correct it." Instead,
> you have pronounced yourself the "unsung hero" of security that will create
> a solution of your own liking and publish whatever (dis)information you
> see fit. As I mentioned before, this only adds to the confusion.

Bullshit. I have now published a patch which corrects the problem in
setlocale().

> If you have the resources to contribute to fixing this problem, all you need
> to do is promise to cooperate in a controlled effort and we'll happily accept
> your help. Right now, you look like a loaded gun with the safety off and we
> cannot afford that kind of instability while we work to handle this delicate
> situation.

CORE created the loaded gun by mishandling the talkd problem. You further
exacerbated it with this mess. Now you have a patch in hand.

> >My fealty isn't to the core team. It's to the people out there who run the
> >code, and to those who I've recommended use the software in question.
>
> Then quit confusing them with your comments and wait for our pending security
> announcement which will have all of the facts straight and give proper
> guidelines for securing an affected system.

In a pig's eye. THAT goal could have been accomplished within hours. I
waited for the promised announcement last night. It never came.

Now I've coded a patch to fix the problem. It's been posted, and I'm
verifying it. If it passes my inspection I want it committed, or a damn
good reason why it won't be.

NOW.

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | 99 Analog numbers, 77 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax:   [+1 773 248-9865]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal